(ca *CA)
| 60 | } |
| 61 | |
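// renewCertsForCA renews the certificates this CA manages itself. The
// intermediate is regenerated (signed by the root returned from
// loadOrGenRoot) once needsRenewal reports it is inside its renewal window;
// a root or intermediate supplied explicitly in the config (ca.Root /
// ca.Intermediate non-nil) is never touched here.
//
// Root renewal is not implemented yet: an expiring root is only logged at
// warn level, so operators must rotate it by hand before it expires or the
// intermediate it signed stops chaining to a valid root.
//
// ca.mu is held for the whole call, including key generation in
// genIntermediate, so the caller must not already hold it.
func (p *PKI) renewCertsForCA(ca *CA) error {
	ca.mu.Lock()
	defer ca.mu.Unlock()

	log := p.log.With(zap.String("ca", ca.ID))

	// only maintain the root if it's not manually provided in the config
	if ca.Root == nil {
		if ca.needsRenewal(ca.root) {
			// TODO: implement root renewal (use same key)
			// Report the root's own expiration: the check above is on ca.root,
			// so the logged time_remaining must come from the same certificate
			// (previously this logged the intermediate's NotAfter).
			log.Warn("root certificate expiring soon (FIXME: ROOT RENEWAL NOT YET IMPLEMENTED)",
				zap.Duration("time_remaining", time.Until(ca.root.NotAfter)),
			)
		}
	}

	// only maintain the intermediate if it's not manually provided in the config
	if ca.Intermediate == nil {
		if ca.needsRenewal(ca.interChain[0]) {
			log.Info("intermediate expires soon; renewing",
				zap.Duration("time_remaining", time.Until(ca.interChain[0].NotAfter)),
			)

			rootCert, rootKey, err := ca.loadOrGenRoot()
			if err != nil {
				// %w keeps the underlying error inspectable with errors.Is/As.
				return fmt.Errorf("loading root key: %w", err)
			}
			interCert, interKey, err := ca.genIntermediate(rootCert, rootKey)
			if err != nil {
				return fmt.Errorf("generating new certificate: %w", err)
			}
			// Swap certificate and key together, under the lock, so no reader
			// observes the new key paired with the old certificate or vice versa.
			ca.interChain, ca.interKey = []*x509.Certificate{interCert}, interKey

			log.Info("renewed intermediate",
				zap.Time("new_expiration", ca.interChain[0].NotAfter),
			)
		}
	}

	return nil
}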
| 103 | |
| 104 | // needsRenewal reports whether the certificate is within its renewal window |
| 105 | // (i.e. the fraction of lifetime remaining is less than or equal to RenewalWindowRatio). |